varnish-cache/vmod/vmod_proxy.c
/*-
 * Copyright (c) 2018 GANDI SAS
 * All rights reserved.
 *
 * Author: Emmanuel Hocdet <manu@gandi.net>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
#include "config.h"
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include "cache/cache.h"
#include "vend.h"
#include "proxy/cache_proxy.h"
#include "vcc_proxy_if.h"
/*
 * In-memory view of the PP2_TYPE_SSL TLV value carried in a PROXY protocol
 * v2 (PP2) header: one byte of PP2_CLIENT_* flag bits followed by a 32-bit
 * verify result.  The verify field is stored big-endian on the wire and is
 * decoded with vbe32dec() in vmod_ssl_verify_result().  The struct is
 * packed because it is overlaid directly on the TLV payload returned by
 * VPX_tlv(), so it must not carry any padding.
 */
struct pp2_tlv_ssl {
        uint8_t  client;	/* PP2_CLIENT_* flag bits, see below */
        uint32_t verify;	/* big-endian; read it through vbe32dec() */
}__attribute__((packed));
/* Bits of pp2_tlv_ssl.client, each exposed to VCL by one accessor below. */
#define PP2_CLIENT_SSL           0x01	/* tested by vmod_is_ssl() */
#define PP2_CLIENT_CERT_CONN     0x02	/* tested by vmod_client_has_cert_conn() */
#define PP2_CLIENT_CERT_SESS     0x04	/* tested by vmod_client_has_cert_sess() */
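/*
 * Test one PP2_CLIENT_* bit of the PP2_TYPE_SSL TLV attached to the request.
 *
 * Returns false when the request carries no PP2_TYPE_SSL TLV, when the TLV
 * payload is too short to hold a struct pp2_tlv_ssl, or when `flag` is not
 * set in the client byte.
 *
 * The length check is defence in depth: the PROXY header parser is expected
 * to reject malformed TLVs before they reach this vmod (not verified here),
 * but the payload originates from the upstream proxy, not from Varnish, and
 * this helper must never read past the bytes VPX_tlv() handed out.  A short
 * payload is treated exactly like a missing TLV so VCL cannot be fooled into
 * seeing flags that were never sent.
 */
static VCL_BOOL
tlv_ssl_flag(VRT_CTX, int flag)
{
        struct pp2_tlv_ssl *dst;
        int len;

        CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);

        if (VPX_tlv(ctx->req, PP2_TYPE_SSL, (void **)&dst, &len))
                return (0);
        /* Never dereference a payload shorter than the struct we overlay. */
        if (len < 0 || (size_t)len < sizeof *dst)
                return (0);

        return ((dst->client & flag) == flag);
}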
/*
 * VCL accessor: true when the PP2_TYPE_SSL TLV marks the client connection
 * as TLS (PP2_CLIENT_SSL).  False when the TLV is absent.
 */
VCL_BOOL v_matchproto_(td_proxy_is_ssl)
vmod_is_ssl(VRT_CTX)
{
        const int wanted = PP2_CLIENT_SSL;

        return (tlv_ssl_flag(ctx, wanted));
}
/*
 * VCL accessor: true when the PP2_TYPE_SSL TLV has the PP2_CLIENT_CERT_SESS
 * bit set.  False when the TLV is absent.
 */
VCL_BOOL v_matchproto_(td_proxy_client_has_cert_sess)
vmod_client_has_cert_sess(VRT_CTX)
{
        const int wanted = PP2_CLIENT_CERT_SESS;

        return (tlv_ssl_flag(ctx, wanted));
}
/*
 * VCL accessor: true when the PP2_TYPE_SSL TLV has the PP2_CLIENT_CERT_CONN
 * bit set.  False when the TLV is absent.
 */
VCL_BOOL v_matchproto_(td_proxy_client_has_cert_conn)
vmod_client_has_cert_conn(VRT_CTX)
{
        const int wanted = PP2_CLIENT_CERT_CONN;

        return (tlv_ssl_flag(ctx, wanted));
}
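/*
 * VCL accessor for the client certificate verify result relayed by the
 * upstream proxy in the PP2_TYPE_SSL TLV.  The value originates from
 * SSL_get_verify_result() on the proxy, so 0 (X509_V_OK) means "verified".
 *
 * Returns 0 (X509_V_OK) when the request has no PP2_TYPE_SSL TLV, or when
 * the TLV payload is too short to contain the verify field.  Because of
 * that, "no TLS information at all" and "certificate verified" are
 * indistinguishable from this value alone: VCL that gates access on it
 * should also require vmod_is_ssl() / vmod_client_has_cert_*() to be true,
 * which return false in exactly the same missing/short-TLV cases.
 *
 * The length check is defence in depth against a truncated TLV; the PROXY
 * header parser is expected to reject those upstream (not verified here).
 */
VCL_INT v_matchproto_(td_proxy_ssl_verify_result)
vmod_ssl_verify_result(VRT_CTX)
{
        struct pp2_tlv_ssl *dst;
        int len;

        CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);

        if (VPX_tlv(ctx->req, PP2_TYPE_SSL, (void **)&dst, &len))
                return (0); /* X509_V_OK */
        /* Short payload: nothing trustworthy to decode, same as no TLV. */
        if (len < 0 || (size_t)len < sizeof *dst)
                return (0); /* X509_V_OK */

        /* The verify field is big-endian on the wire. */
        return (vbe32dec(&dst->verify));
}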
/*
 * Return the value of TLV `tlv` as a NUL-terminated string allocated on the
 * request workspace, or NULL when the request carries no such TLV.
 *
 * The bytes are copied verbatim from the PROXY header without any
 * validation; since the result is a plain C string, an embedded NUL byte in
 * the TLV value cuts the string visible to VCL short.  When the workspace
 * cannot hold len+1 bytes the transaction is failed via VRT_fail() and NULL
 * is returned.
 */
static VCL_STRING
tlv_string(VRT_CTX, int tlv)
{
        char *value, *copy;
        int len;

        CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);

        if (VPX_tlv(ctx->req, tlv, (void **)&value, &len) != 0)
                return (NULL);

        /* One extra byte for the terminator VCL strings require. */
        copy = WS_Alloc(ctx->ws, len + 1);
        if (copy == NULL) {
                VRT_fail(ctx, "proxy.TLV: out of workspace");
                return (NULL);
        }

        memcpy(copy, value, len);
        copy[len] = '\0';
        return (copy);
}
/* VCL accessor for the PP2_TYPE_ALPN TLV; NULL when absent. */
VCL_STRING v_matchproto_(td_proxy_alpn)
vmod_alpn(VRT_CTX)
{
        VCL_STRING s;

        s = tlv_string(ctx, PP2_TYPE_ALPN);
        return (s);
}
/*
 * VCL accessor for the PP2_TYPE_AUTHORITY TLV; NULL when absent.  The value
 * is whatever the upstream proxy put in the header and is not validated.
 */
VCL_STRING v_matchproto_(td_proxy_authority)
vmod_authority(VRT_CTX)
{
        VCL_STRING s;

        s = tlv_string(ctx, PP2_TYPE_AUTHORITY);
        return (s);
}
/* VCL accessor for the PP2_SUBTYPE_SSL_VERSION TLV; NULL when absent. */
VCL_STRING v_matchproto_(td_proxy_ssl_version)
vmod_ssl_version(VRT_CTX)
{
        VCL_STRING s;

        s = tlv_string(ctx, PP2_SUBTYPE_SSL_VERSION);
        return (s);
}
/* VCL accessor for the PP2_SUBTYPE_SSL_CIPHER TLV; NULL when absent. */
VCL_STRING v_matchproto_(td_proxy_ssl_cipher)
vmod_ssl_cipher(VRT_CTX)
{
        VCL_STRING s;

        s = tlv_string(ctx, PP2_SUBTYPE_SSL_CIPHER);
        return (s);
}
/* VCL accessor for the PP2_SUBTYPE_SSL_SIG_ALG TLV; NULL when absent. */
VCL_STRING v_matchproto_(td_proxy_cert_sign)
vmod_cert_sign(VRT_CTX)
{
        VCL_STRING s;

        s = tlv_string(ctx, PP2_SUBTYPE_SSL_SIG_ALG);
        return (s);
}
/* VCL accessor for the PP2_SUBTYPE_SSL_KEY_ALG TLV; NULL when absent. */
VCL_STRING v_matchproto_(td_proxy_cert_key)
vmod_cert_key(VRT_CTX)
{
        VCL_STRING s;

        s = tlv_string(ctx, PP2_SUBTYPE_SSL_KEY_ALG);
        return (s);
}
/*
 * VCL accessor for the PP2_SUBTYPE_SSL_CN TLV; NULL when absent.  This is
 * the CN as relayed by the upstream proxy: it is only as trustworthy as the
 * proxy that sent the header, and nothing here ties it to a verified
 * certificate (see vmod_ssl_verify_result()).
 */
VCL_STRING v_matchproto_(td_proxy_client_cert_cn)
vmod_client_cert_cn(VRT_CTX)
{
        VCL_STRING s;

        s = tlv_string(ctx, PP2_SUBTYPE_SSL_CN);
        return (s);
}